Integrated windows authentication and NetworkCredential

Discussion in 'ASP .Net Security' started by sorpor, May 1, 2004.

  1. sorpor

    sorpor Guest

    Hi,

    I have my asp.net webpage configured to use the integrated windows
    authentication in IIS. I need to use NetworkCredential object to get access
    to a webservice and I want to retrieve the authenticated user information to
    create it so user doesn't have to re-enter password. How can I do that?

    Thanks a lot!
    -sorpor
     
    sorpor, May 1, 2004
    #1
    1. Advertising

  2. This sounds like you want to pass an already authenticated user on your
    server to another server. You cannot easily do this (its called delegation)
    without specifically enabling this for the specific user account to be
    delegated. Note that this only applies to Windows Integrated auth (as this
    "limitation" is actually a security feature and the scenario you describe is
    termed a "double hop" issue with security credentials.

    Basic auth does not ehibit this behaviour as the security credentials are
    embedded as part of the Http header and so are easily extracted and passed
    on.

    HTH

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    "sorpor" <> wrote in message
    news:uzui#...
    > Hi,
    >
    > I have my asp.net webpage configured to use the integrated windows
    > authentication in IIS. I need to use NetworkCredential object to get

    access
    > to a webservice and I want to retrieve the authenticated user information

    to
    > create it so user doesn't have to re-enter password. How can I do that?
    >
    > Thanks a lot!
    > -sorpor
    >
    >
     
    Paul Glavich [MVP - ASP.NET], May 2, 2004
    #2
    1. Advertising

  3. That said, if delegation is properly configured AND you are impersonating
    the user who authenticated, you can get a valid credential object via:

    System.Net.CredentialCache.DefaultCredentials

    Delegating user's credentials is one of the most often asked about, hardest
    to get working things that people try to do. You should find lots of
    answers via Google searches.

    Joe K.

    "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    message news:...
    > This sounds like you want to pass an already authenticated user on your
    > server to another server. You cannot easily do this (its called

    delegation)
    > without specifically enabling this for the specific user account to be
    > delegated. Note that this only applies to Windows Integrated auth (as this
    > "limitation" is actually a security feature and the scenario you describe

    is
    > termed a "double hop" issue with security credentials.
    >
    > Basic auth does not ehibit this behaviour as the security credentials are
    > embedded as part of the Http header and so are easily extracted and passed
    > on.
    >
    > HTH
    >
    > --
    > - Paul Glavich
    > Microsoft MVP - ASP.NET
    >
    >
    > "sorpor" <> wrote in message
    > news:uzui#...
    > > Hi,
    > >
    > > I have my asp.net webpage configured to use the integrated windows
    > > authentication in IIS. I need to use NetworkCredential object to get

    > access
    > > to a webservice and I want to retrieve the authenticated user

    information
    > to
    > > create it so user doesn't have to re-enter password. How can I do that?
    > >
    > > Thanks a lot!
    > > -sorpor
    > >
    > >

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), May 2, 2004
    #3
  4. I should also point out (thanks to the clarification by Ken Shafer), that if
    Kerberos is used, then delegation is possible, however if NTLM is used, then
    delegation is not possible. This is a limitation with the NTLM protocol.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > That said, if delegation is properly configured AND you are impersonating
    > the user who authenticated, you can get a valid credential object via:
    >
    > System.Net.CredentialCache.DefaultCredentials
    >
    > Delegating user's credentials is one of the most often asked about,

    hardest
    > to get working things that people try to do. You should find lots of
    > answers via Google searches.
    >
    > Joe K.
    >
    > "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    > message news:...
    > > This sounds like you want to pass an already authenticated user on your
    > > server to another server. You cannot easily do this (its called

    > delegation)
    > > without specifically enabling this for the specific user account to be
    > > delegated. Note that this only applies to Windows Integrated auth (as

    this
    > > "limitation" is actually a security feature and the scenario you

    describe
    > is
    > > termed a "double hop" issue with security credentials.
    > >
    > > Basic auth does not ehibit this behaviour as the security credentials

    are
    > > embedded as part of the Http header and so are easily extracted and

    passed
    > > on.
    > >
    > > HTH
    > >
    > > --
    > > - Paul Glavich
    > > Microsoft MVP - ASP.NET
    > >
    > >
    > > "sorpor" <> wrote in message
    > > news:uzui#...
    > > > Hi,
    > > >
    > > > I have my asp.net webpage configured to use the integrated windows
    > > > authentication in IIS. I need to use NetworkCredential object to get

    > > access
    > > > to a webservice and I want to retrieve the authenticated user

    > information
    > > to
    > > > create it so user doesn't have to re-enter password. How can I do

    that?
    > > >
    > > > Thanks a lot!
    > > > -sorpor
    > > >
    > > >

    > >
    > >

    >
    >
     
    Paul Glavich [MVP - ASP.NET], May 4, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    0
    Views:
    677
  2. Andrew
    Replies:
    4
    Views:
    551
    Marty U.
    Jun 23, 2004
  3. Brett Smith
    Replies:
    2
    Views:
    454
    Brett Smith
    Oct 26, 2004
  4. Will
    Replies:
    5
    Views:
    2,625
  5. Patrick Fogarty

    Authentication not working on HTTP-POST using NetworkCredential

    Patrick Fogarty, Aug 25, 2003, in forum: ASP .Net Web Services
    Replies:
    2
    Views:
    244
    Feroze [MSFT]
    Aug 27, 2003
Loading...

Share This Page